Geração de números verdadeiramente aleatórios baseados em ruído quântico

Quantum Random Number Generators (QRNGs) promise information-theoretic security by exploring the intrinsic probabilistic properties of quantum mechanics. In practice, their security frequently relies on a number of assumptions over physical devices. In this thesis, a randomness generation framework that explores the amplitude quadrature fluctuations of a vacuum state was analyzed. It employs a homodyne measurement scheme, which can be implemented with low-cost components, and shows potential for high performance with remarkable stability. A mathematical description of all necessary stages was provided as security proof, considering the quantization noise introduced by the analog-to-digital converter. The impact of experimental limitations, such as the digitizer resolution or the presence of excess noise due to an unbalanced detection, was characterized. Moreover, we propose a framework to estimate the excess entropy introduced by an unbalanced detection, and its high impact within the Shannon entropy model was experimentally verified. Furthermore, a real-time dedicated QRNG scheme was implemented and validated. The variance characterization curve of the homodyne detector was measured, and the quantum fluctuations were determined to be preponderant for an impinging power PLO < 45.7mW. By estimating the worst-case min-entropy conditioned on the electronic noise, approximately 8.39 true random bits can be extracted from each sample, yielding a maximum generation rate of 8.23 Gbps. With a lengthcompatible Toeplitz-hashing algorithm, these can be extracted at 75 Mbps with an upper security bound of 2−105, which illustrates the quality of this implementation. Moreover, the generation scheme was validated and verified to pass all the statistical tests of the NIST, DieHarder, and TestU01’s SmallCrush batteries, as well as most of TestU01’s Crush evaluations. Finally, we propose a framework for time-interleaving the entropy source within a classical communication channel, which removes the need for a dedicated generation device. After assessing the conditions where quantum noise is dominant, support for generation rates up to 1.3 Gbps was observed. The random bitstream was subjected to the NIST randomness test suite and consistently passed all evaluations. Moreover, a clean quadrature phase shift keying constellation was recovered, which supports the multi-purpose function of the scheme.Geradores quânticos de números aleatórios (QRNGs) prometem sistemas informação-teoricamente seguros explorando as propriedades intrinsecamente probabilísticas da mecânica quântica. No entanto, experimentalmente, um conjunto de pressupostos é tipicamente imposto sobre os dispositivos experimentais. Nesta dissertação, analisou-se uma abordagem para geração de números aleatórios que explora as flutuações de amplitude em quadratura de um estado vácuo. Para tal, recorre-se a um esquema de deteção homodina que permite um elevado desempenho e estabilidade, requerendo apenas dispositivos de baixo custo. Um modelo matemático das diferentes etapas do gerador foi desenvolvido de forma a fornecer uma prova de segurança, e contabilizou-se o ruído de discretização introduzido pelo conversor analógico-digital. Adicionalmente, caracterizou-se o impacto de imperfeições experimentais como a resolução do conversor analógico-digital e a presença de ruído em excesso como consequência de uma deteção não balanceada. Uma abordagem para estimar esta contribuição no modelo de entropia de Shannon foi também proposta e experimentalmente verificada. Adicionalmente, uma implementação em tempo-real foi caracterizada. A curva de caracterização do detetor homodino foi experimentalmente verificada, e uma preponderância de ruído quântico observado para potências óticas inferiores a 45.7mW. Através de uma estimativa da min-entropy condicionada ao ruído eletrónico, aproximadamente 8.39 bits por medição podem ser extraídos, o que corresponde a uma taxa de geração máxima de 8.23 Gbps. Estes podem ser extraídos a uma taxa de 75 Mbps com um parâmetro de segurança de 2−105, ilustrativo da qualidade desta implementação, através de um algoritmo eficiente de multiplicação de matrizes de Toeplitz. Posteriormente, o esquema foi validado, passando todos os testes estatísticos das baterias NIST, DieHarder, e SmallCrush, assim como a maioria das avaliações contidas na bateria Crush. Por último, foi proposta uma abordagem para integrar esta fonte de entropia num canal de comunicação clássico, removendo desta forma a necessidade de uma implementação dedicada. Após avaliação das condições de preponderância do ruído quântico, foram observadas taxas de geração até 1.3 Gbps. Os números obtidos foram também submetidos à bateria de testes do NIST, passando consistentemente todas as avaliações. Adicionalmente, a constelação de modulação de amplitude em quadratura obtida viabiliza a operação multifuncional do sistema.Mestrado em Engenharia Físic

Analysis of partial match queries in multidimensional search trees

A la portada diu "Article-based thesis". Tesi amb diferents seccions retallades per dret de l'editor.The main contribution of this thesis is to deepen and generalize previous work done in the average-case analysis of partial match queries in several types of multidimensional search trees. In particular, our focus has been the analysis of fixed PM queries. Our results about them generalize previous results which covered the case where only one coordinate is specified in the PM query- and for any dimension-or the case of 2-dimensional data structures. Using a combinatorial approach, different to the probabilistic approaches used by other researchers, we obtain asymptotic formulas for the expected cost of fixed PM queries in relaxed and standard K-d trees. We establish that, in both cases, the expected cost satisfies a common pattern in the relationship with the expected cost of random PM queries. Moreover, the same pattern appeared in the analysis, previously done by other researchers, of the expected cost of fixed partial match in 2-dimensional quad trees. Those results led us to conjecture that such formula would be pervasive to describe the expected cost of partial match queries in many different multidimensional trees, assuming some additional technical conditions about the family of multidimensional search trees under consideration. Indeed, we prove this to be the case also for K-dimensional quad trees. However, we disprove that conjecture for a new variant of K-d trees with local balancing that we define: relaxed K-dt trees. We analyze the expected cost of random PM queries and fixed PM queries in them and, while we do not find a closed-form expression for the expected cost of xed PM queries, we prove that it cannot be of the same form that we had conjectured. For random PM queries in both relaxed and standard K-dt trees, we obtain two very general results that unify several specific results that appear scattered across the literature. Finally, we also analyze random PM queries in quad-K-d trees -a generalization of both quad trees and K-d trees- and obtain a very general result that includes as particular cases previous results in relaxed K-d trees and quad trees.La principal contribución de esta tesis es profundizar y generalizar resultados anteriores referentes al análisis en caso medio de búsquedas parciales en varios tipos de árboles multidimensionales de búsqueda. En particular nos enfocamos en el análisis de búsquedas parciales fijas. Nuestros resultados sobre ellas generalizan resultados previos que cubren el caso donde solamente una coordenada es especificada en la búsqueda parcial-y para cualquier dimensión-o el caso de estructuras de datos de dos dimensiones. Usando un enfoque combinatorio, diferente a los enfoques probabilísticos utilizados por otros investigadores, obtenemos fórmulas asintóticas para el costo esperado de búsquedas parciales fijas en árboles K-d relajados y estándares. Establecemos que, en ambos casos, el costo esperado satisface un patrón común en la relación con el costo esperado de búsquedas parciales aleatorias. Además, el mismo patrón apareció en el análisis, previamente hecho por otros investigadores, del costo esperado de búsquedas parciales fijas en quadtrees de dos dimensiones. Esos resultados nos llevaron a conjeturar que tal fómula sería generalizada para describir el costo esperado de consultas de búsqueda parcial en muchos árboles multidimensionales diferentes, asumiendo algunas condiciones técnicas adicionales sobre la familia de árboles multidimensionales de búsqueda bajo consideración. De hecho, demostramos que este también es el caso en quadtrees de K dimensiones. Sin embargo, definimos una nueva variante de árboles K-d con reorganizacion local que cumplen tales condiciones, los árboles K-dt relajados, analizamos el costo esperado de búsquedas parciales aleatorias y fijas en ellos y, aunque no encontramos una expresión cerrada para el coste esperado de las búsquedas parciales fijas, demostramos que no puede ser de la misma forma que habíamos conjeturado. También obtenemos dos resultados muy generales para busquedas parciales aleatorias en árboles K-dt relajados y estándares que unifican varios resultados específicos que aparecen dispersos en la literatura. Finalmente, analizamos búsquedas parciales aleatorias en una generalizacion de quadtrees y árboles K-d, llamada árboles quad-K-d, y obtenemos un resultado general que incluye como casos particulares resultados previos en árboles K-d relajados y quadtrees.Són moltes les aplicacions en què es requereix administrar col·leccions de dades multidimensionals, en les quals cada objecte és identificat per un punt en un espai real o abstracte; un exemple paradigmàtics són els sistemes d’informació geogràfica. Aquestes aplicacions fan servir sovint estructures de dades multidimensionals que permetin consultes associatives -aquelles on s'especifiquen condicions per a més d'una coordenada- a més de les operacions tradicionals d’inserció, actualització, eliminació i cerca exacta. Un dels principals tipus de consultes associatives és la cerca parcial, on només s'especifiquen algunes coordenades i l'objectiu és determinar quins objectes coincideixen amb elles. Les consultes de cerca parcial són particularment importants perquè la seva anàlisi forma la base de l’anàlisi d'altres tipus de consultes associatives, com ara les cerques per rangs ortogonals (quins punts estan dins d'una àrea (hiper)rectangular donada?), les consultes per regió (per exemple, donats un punt i una distància, quins punts estan a aquesta distància o menys d'aquest punt?) o les consultes del veí més proper (on cal trobar els k punts més propers a un punt donat). En aquesta tesi analitzem en profunditat el rendiment mitjà de les cerques parcials en arbres multidimensionals de cerca representatius, els quals constitueixen una subclasse significativa de les estructures de dades multidimensionals. Els arbres multidimensionals de cerca, en particular els quadtrees i els arbres K-d, van ser definits a mitjans de la dècada dels anys 1970 com una generalització dels arbres binaris de cerca. Les consultes de cerca parcial s'hi responen realitzant un recorregut recursiu d'alguns subarbres. Durant molts anys l’anàlisi en arbres multidimensionals de cerca es va fer amb la suposició important, i sovint implícita, que en cada crida recursiva es generen a l'atzar noves coordenades de la consulta de cerca parcial. La raó d'aquesta suposició simplificadora va ser que, per als costos mitjans, aquesta anàlisi és equivalent a analitzar el rendiment de l'algorisme de cerca parcial quan l'entrada és una consulta de cerca parcial aleatòria. A principis d'aquesta dècada, alguns equips van començar a analitzar el cas mitjà de cerques parcials sense aquesta suposició: les coordenades especificades de la consulta romanen fixes durant totes les crides recursives. Aquestes consultes s'anomenen cerques parcials fixes. L'objectiu d'aquest enfocament recent és analitzar el rendiment de l'algorisme de cerca parcial, però ara les quantitats d’interès depenen de la consulta particular q donada com a entrada. L’anàlisi de cerques parcials fixes, juntament amb el de les aleatòries -que té un paper important per a l’anàlisi de les primeres- ens dóna una descripció molt detallada i precisa del rendiment de l'algorisme de cerca parcial que podria ser estesa a altres consultes associatives rellevants. La principal contribució d'aquesta tesi és aprofundir i generalitzar resultats previs referents a l’anàlisi en cas mitjà de les cerques parcials en diversos tipus d'arbres multidimensionals de cerca. En particular ens enfoquem en l’anàlisi de les cerques parcials fixes. Els nostres resultats en generalitzen resultats previs els quals cobreixen el cas on només una coordenada està especificada a la cerca parcial i per a qualsevol dimensió no el cas d'estructures de dades de dues dimensions. Usant un enfocament combinatori, diferent als enfocaments probabilístics utilitzats per altres investigadors, obtenim fórmules asimptòtiques per al cost esperat de cerques parcials fixes en arbres K-d relaxats i estàndards. Establim que, en tots dos casos, el cost esperat satisfà un patró comú en la relació amb el cost esperat de cerques parcials aleatòries. A més, el mateix patró va aparèixer en l’anàlisi, prèviament fet per altres investigadors, del cost esperat de cerques parcials fixes en quadtrees de dues dimensions. Aquests resultats ens van portar a conjecturar que tal fórmula seria general per descriure el cost esperat de consultes de cerca parcial en molts arbres multidimensionals diferents, assumint algunes condicions tècniques addicionals sobre la família d'arbres multidimensionals de cerca sota consideració. De fet, demostrem que aquest és també el cas pels quadtrees de K dimensions. Tanmateix, definim una nova variant de arbres K-d amb equilibri local que compleixen aquestes condicions, els arbres K-dt relaxats, n'analitzem el cost esperat de cerques parcials aleatòries i fixes i, tot i no trobar una expressió tancada per al cost esperat de les cerques parcials fixes, demostrem que no pot ser de la mateixa forma que havíem conjecturat. També obtenim dos resultats molt generals per a les cerques parcials aleatòries en arbres K-dt relaxats i estàndards, els quals unifiquen diversos resultats específics que apareixen dispersos a la literatura. Finalment, analitzem cerques parcials aleatòries en una generalització de quadtrees i arbres K-d, anomenada arbres quad-K-d, i obtenim un resultat general que inclou com a casos particulars resultats previs en arbres K-d relaxats i quadtreesPostprint (published version

On the performance of helper data template protection schemes

The use of biometrics looks promising as it is already being applied in elec- tronic passports, ePassports, on a global scale. Because the biometric data has to be stored as a reference template on either a central or personal storage de- vice, its wide-spread use introduces new security and privacy risks such as (i) identity fraud, (ii) cross-matching, (iii) irrevocability and (iv) leaking sensitive medical information. Mitigating these risks is essential to obtain the accep- tance from the subjects of the biometric systems and therefore facilitating the successful implementation on a large-scale basis. A solution to mitigate these risks is to use template protection techniques. The required protection properties of the stored reference template according to ISO guidelines are (i) irreversibility, (ii) renewability and (iii) unlinkability. A known template protection scheme is the helper data system (HDS). The fun- damental principle of the HDS is to bind a key with the biometric sample with use of helper data and cryptography, as such that the key can be reproduced or released given another biometric sample of the same subject. The identity check is then performed in a secure way by comparing the hash of the key. Hence, the size of the key determines the amount of protection. This thesis extensively investigates the HDS system, namely (i) the the- oretical classication performance, (ii) the maximum key size, (iii) the irre- versibility and unlinkability properties, and (iv) the optimal multi-sample and multi-algorithm fusion method. The theoretical classication performance of the biometric system is deter- mined by assuming that the features extracted from the biometric sample are Gaussian distributed. With this assumption we investigate the in uence of the bit extraction scheme on the classication performance. With use of the the- oretical framework, the maximum size of the key is determined by assuming the error-correcting code to operate on Shannon's bound. We also show three vulnerabilities of HDS that aect the irreversibility and unlinkability property and propose solutions. Finally, we study the optimal level of applying multi- sample and multi-algorithm fusion with the HDS at either feature-, score-, or decision-level

Assumptions in Quantum Cryptography

Quantum cryptography uses techniques and ideas from physics and computer science. The combination of these ideas makes the security proofs of quantum cryptography a complicated task. To prove that a quantum-cryptography protocol is secure, assumptions are made about the protocol and its devices. If these assumptions are not justified in an implementation then an eavesdropper may break the security of the protocol. Therefore, security is crucially dependent on which assumptions are made and how justified the assumptions are in an implementation of the protocol. This thesis is primarily a review that analyzes and clarifies the connection between the security proofs of quantum-cryptography protocols and their experimental implementations. In particular, we focus on quantum key distribution: the task of distributing a secret random key between two parties. We provide a comprehensive introduction to several concepts: quantum mechanics using the density operator formalism, quantum cryptography, and quantum key distribution. We define security for quantum key distribution and outline several mathematical techniques that can either be used to prove security or simplify security proofs. In addition, we analyze the assumptions made in quantum cryptography and how they may or may not be justified in implementations. Along with the review, we propose a framework that decomposes quantum-key-distribution protocols and their assumptions into several classes. Protocol classes can be used to clarify which proof techniques apply to which kinds of protocols. Assumption classes can be used to specify which assumptions are justified in implementations and which could be exploited by an eavesdropper. Two contributions of the author are discussed: the security proofs of two two-way quantum-key-distribution protocols and an intuitive proof of the data-processing inequality.Comment: PhD Thesis, 221 page

Dial C for Cipher

We introduce C, a practical provably secure block cipher with a slow key schedule. C is based on the same structure as AES but uses independent random substitution boxes instead of a fixed one. Its key schedule is based on the Blum-Blum-Shub pseudo-random generator, which allows us to prove that all obtained security results are still valid when taking into account the dependencies between the round keys. C is provably secure against several general classes of attacks. Strong evidence is given that it resists an even wider variety of attacks. We also propose a variant of C with simpler substitution boxes which is suitable for most applications, and for which security proofs still hold

Blockchain Enabled Platforms for the Internet of Things

The Blockchain and the Internet of Things (IoT) have gained a lot of attention in the last few years, since both technologies enable the possibility of creating a more connected and independent world. This combination enables the design of computing systems and cyber-physical environments without the need of centralized trusted entities, giving users the freedom and control of their operations, in a decentralized ledger model. By using storing and logging mechanisms supported by the Blockchain, data is immutable and independently audited, guaranteeing that it is neither modified nor deleted. At the same time, applications can benefit from the reliability and fault-tolerance assumptions provided by the Blockchain in supporting transactions between users and involved devices. In this thesis, it was studied and proposed a generic solution for a Blockchain-enabled IoT software architecture. The proposed solution enables the advantages of using decentralized logging and ledgering, without the interference of central authorities, inherently supported by the base Blockchain reliability, availability and security foundations. These capabilities are envisaged as key-benefits for a new generation of clean-slate approaches for IoT applications with the required scalability criteria. The research conducted in the dissertation work, studied the base software foundations, relevant components and implementation options that enable the identified advantages of using Blockchain components and services, to leverage more scalable and trustable IoT platforms. Our proposed solution aims to provide an architecture that contributes to a more appropriate design for secure and reliable IoT systems. In this trend we propose a better use of edge-based support for local-enabled processing environments supporting IoT devices and users’ interactions, with operations intermediated by proximity hubs acting as gateways to the Blockchain, where the operations are regulated and controlled by verifiable smart-contracts involving data and transactions

On Some Symmetric Lightweight Cryptographic Designs

This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator is investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented. The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption. These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext. Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack is given. It is shown how knowledge of the state can be used to recover the key in a straightforward way. The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this. Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair. Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings

Secure and Usable User Authentication

Authentication is a ubiquitous task in users\u27 daily lives. The dominant form of user authentication are text passwords. They protect private accounts like online banking, gaming, and email, but also assets in organisations. Yet, many issues are associated with text passwords, leading to challenges faced by both, users and organisations. This thesis contributes to the body of research enabling secure and usable user authentication, benefiting both, users and organisations. To that end, it addresses three distinct challenges. The first challenge addressed in this thesis is the creation of correct, complete, understandable, and effective password security awareness materials. To this end, a systematic process for the creation of awareness materials was developed and applied to create a password security awareness material. This process comprises four steps. First, relevant content for an initial version is aggregated (i.e. descriptions of attacks on passwords and user accounts, descriptions of defences to these attacks, and common misconceptions about password and user account security). Then, feedback from information security experts is gathered to ensure the correctness and completeness of the awareness material. Thereafter, feedback from lay-users is gathered to ensure the understandability of the awareness material. Finally, a formal evaluation of the awareness material is conducted to ensure its effectiveness (i.e. whether the material improves participant\u27s ability to assess the security of passwords as well as password-related behaviour and decreases the prevalence of common misconceptions about password and user account security). The results of the evaluation show the effectiveness of the awareness material: it significantly improved the participants\u27 ability to assess the security of password-related behaviour as well as passwords and significantly decreased the prevalence of misconceptions about password and user account security. The second challenge addressed in this thesis is shoulder-surfing resistant text password entry with gamepads (as an example of very constrained input devices) in shared spaces. To this end, the very first investigation of text password entry with gamepads is conducted. First, the requirements of authentication in the gamepad context are described. Then, these requirements are applied to assess schemes already deployed in the gamepad context and shoulder-surfing resistant authentication schemes from the literature proposed for non-gamepad contexts. The results of this assessment show that none of the currently deployed and only four of the proposals in the literature fulfil all requirements. Furthermore, the results of the assessment also indicate a need for an empirical evaluation in order to exactly gauge the shoulder-surfing threat in the gamepad context and compare alternatives to the incumbent on-screen keyboard. Based on these results, two user studies (one online study and one lab study) are conducted to investigate the shoulder-surfing resistance and usability of three authentication schemes in the gamepad context: the on-screen keyboard (as de-facto standard in this context), the grid-based scheme (an existing proposal from the literature identified as the most viable candidate adaptable to the gamepad context during the assessment), and Colorwheels (a novel shoulder-surfing resistant authentication scheme specifically designed for the gamepad context). The results of these two user studies show that on-screen keyboards are highly susceptible to opportunistic shoulder-surfing, but also show the most favourable usability properties among the three schemes. Colorwheels offers the most robust shoulder-surfing resistance and scores highest with respect to participants\u27 intention to use it in the future, while showing more favourable usability results than the grid-based scheme. The third challenge addressed in this thesis is secure and efficient storage of passwords in portfolio authentication schemes. Portfolio authentication is used to counter capture attacks such as shoulder-surfing or eavesdropping on network traffic. While usability studies of portfolio authentication schemes showed promising results, a verification scheme which allows secure and efficient storage of the portfolio authentication secret had been missing until now. To remedy this problem, the (t,n)-threshold verification scheme is proposed. It is based on secret sharing and key derivation functions. The security as well as the efficiency properties of two variants of the scheme (one based on Blakley secret sharing and one based on Shamir secret sharing) are evaluated against each other and against a naive approach. These evaluations show that the two (t,n)-threshold verification scheme variants always exhibit more favourable properties than the naive approach and that when deciding between the two variants, the exact application scenario must be considered. Three use cases illustrate as exemplary application scenarios the versatility of the proposed (t,n)-threshold verification scheme. By addressing the aforementioned three distinct challenges, this thesis demonstrates the breadth of the field of usable and secure user authentication ranging from awareness materials, to the assessment and evaluation of authentication schemes, to applying cryptography to craft secure password storage solutions. The research processes, results, and insights described in this thesis represent important and meaningful contributions to the state of the art in the research on usable and secure user authentication, offering benefits for users, organisations, and researchers alike